
Re: [Samba] Issues with mounting Samba shares after update




If you are using SSSD, why use sssd-libwbclient?

I recently set up a Samba file server with SSSD (to use uidNumber and
gidNumber from AD without modifying the AD schema, because Winbind can't do that
with MS AD, only with Samba AD) and I don't remember having used anything
about Winbind.

It was on some Debian 9.0.

sssd.conf was:

[sssd]
domains = ad.example.com
config_file_version = 2
services = nss, pam

[domain/ad.example.com]
ad_domain = ad.example.com
krb5_realm = AD.EXAMPLE.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
krb5_store_password_if_offline = True
ldap_sasl_authid = HOSTNAME$

#ldap_id_mapping = True
ldap_id_mapping = False

ldap_schema = ad
access_provider = ad
id_provider = ad

use_fully_qualified_names = False
fallback_homedir = /home/%u
default_shell = /bin/bash

ldap_user_name = samAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_gecos = DisplayName
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell

and smb.conf was:

[global]
   workgroup = AD
   password server = dc01.ad.example.com
   realm = AD.EXAMPLE.COM
   security = ads
   server string = Samba Server Version %v
   log level = 1
   local master = no
   domain master = no
   preferred master = no


[homes]
   comment = Home Directories
   browseable = no
   writable = yes
   path = /home/%u

Please note it's late here; I did that quickly this summer and that was
grabbed from notes I took, not sure it works as is...


2017-08-28 21:41 GMT+02:00 Kristian Petersen via samba <
samba@xxxxxxxxxxxxxxx>:

> Actually it isn't part of AD at all.   We are using FreeIPA and Samba.  We
> just finally figured this out with the help of some folks at Red Hat.  It
> turned out there was a bug in one of the libraries that came along with
> sssd (sssd-libwbclient I believe).  Their suggestion to use winbind and the
> version of the same library that came with it seems to have solved our
> problem instantly.  It appears that Red Hat is recommending not upgrading
> to RHEL 7.4 until this bug is resolved.
>
> However, a new file server we are setting up that appears to have the same
> issue is not fixed by doing those same things making it a bit confusing.
> We have compared config files between them, and they appear to be the same,
> which makes it even more confusing.
>
> On Mon, Aug 28, 2017 at 8:26 AM, Emmanuel Florac <eflorac@xxxxxxxxxxxxxx>
> wrote:
>
> > On Fri, 18 Aug 2017 13:28:25 -0600
> > Kristian Petersen via samba <samba@xxxxxxxxxxxxxxx> wrote:
> >
> > > Our fileserver (running RHEL 7.4) has suddenly stopped allowing
> > > access to network shares through Samba.  It is running Samba 4.6.2.
> > > When someone tries to mount a shared folder it prompts them for a
> > > username and password which fails even when the password is correct,
> > > rather than using their valid Kerberos ticket as it has in the past.
> > > Has anyone here had a similar experience, or any suggestions as to where to
> > > begin?  The NT Hashes stored in LDAP are definitely accessible to the
> > > server (we ran some test ldapsearch commands), so even if we weren't
> > > using Kerberos that should be working (but it isn't).
> >
> > Kerberos ticket, so I suppose it's part of an AD domain. Maybe your
> > server clock has drifted away from the ADS? What does "net ads
> > testjoin" say?
> >
> > --
> > ------------------------------------------------------------------------
> > Emmanuel Florac     |   Direction technique
> >                     |   Intellique
> >                     |   <eflorac@xxxxxxxxxxxxxx>
> >                     |   +33 1 78 94 84 02
> > ------------------------------------------------------------------------
> >
>
>
>
> --
> Kristian Petersen
> System Administrator
> Dept. of Chemistry and Biochemistry
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>